21 March 2016

Traffic Direction Systems (TDS)

Last weeks
we are detecting through Sonda
Ariolo a trojan infection called Keitaro TDS which redirects
HTTP request of users to malicious websites to download malware and
compromise their systems. At first glance it seems that although the
public IP is from Russia and threat intelligence engines like OTX and
virustotal don't categorize it with bad reputation or malicious IP,
when we analyze in depth, we are going to find out that it has lots
of domain name register against the same public IP. How have they
avoided to be detected by threat intelligence? Maybe with DGA,
who knows!!

What is it
a TDS or Traffic Direction System? At the beginning it reminded me a
load balancer which can analyze the HTTP header to send the user
request to the proper web server. For instance, a mobile user with an
iPhone is redirected to the mobile web page version while an user
with a laptop is redirected to the normal web page. This is done just
looking at User-Agent attribute inside the HTTP header. But … What
is it a TDS? Actually, it is a system which can analyze users' system
settings to gather information of users like their browser, IP
address, language, Operating System, etc and TDS along with this
information and web traffic redirection techniques like server-side
redirection, iframe redirection, video redirection, etc redirect our
request to a web server.

Is this a
malicious activity? Of course it isn't, it is legal but it can be
also used for malicious activities. In fact, there are many TDS
services out there like Keitaro
TDS or WapEmpire
which help publishers and advertisers earn money with advertising
campaigns. However, these services can be also used by cybercriminals
to choose either specific targets or wide-ranging groups, depending
on their geographic locations, software preferences or language
settings to deploy and distribute malware and to steal critical
information. For instance, they can redirect users' traffic to
pharmaceutical websites in the morning and to adult websites at
night, or they can redirect unwanted traffic to default website like
Google or Yahoo and wanted traffic to pay-per-click (PPC) websites to
earn money.

How does
it work? Mainly it works with business partners or Partnerka, which
is a Russian word. On one hand, there are people who compromise
end-user systems creating a botnet from where they request legitimate
sites. On the other hand, there are people who compromise websites
injecting 0 x 0 iframes capable of handling requests from invisible
iframes. Besides, there are people who manage TDS systems to filter
and redirect traffic to make money.

Today,
this technique is also used by Black Hat SEO to make aggressive
campaigns by those who are looking for a quick financial return on
their web site. However, this trick can be banned by search engines
banning your web site.

Regards my
friend and remember, drop me a line with the first thing you are
thinking.